Stored Cross-Site Scripting Vulnerability in Pharmacy POS PHP Script
CVE-2025-40724

5.1 MEDIUM

Key Information:

Vendor
CVE Published: 16 July 2025

What is CVE-2025-40724?

The Pharmacy POS PHP Script is affected by a stored Cross-Site Scripting (XSS) vulnerability: an attacker can inject malicious JavaScript through the u_medicine_name parameter of the /edit_medicine.php endpoint. This flaw can be used to execute arbitrary scripts in the context of the victim's browser, potentially leading to the theft of sensitive information, including session cookies, and to unauthorized actions performed on behalf of the user. It is critical for users and developers to implement mitigations to prevent XSS attacks and protect user data.

Affected Version(s)

Pharmacy POS PHP Script all versions

CVSS V4

Score: 5.1
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Gonzalo Aguilar García (6h4ack)